From: kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org
To: "Noralf Trønnes" <noralf-L59+Z2yzLopAfugRpC6u6w@public.gmane.org>,
"Mark Brown" <broonie-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
linux-spi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Martin Sperl <kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
Subject: [PATCH] spi: fix race freeing dummy_tx/rx before it is unmapped
Date: Sun, 10 May 2015 07:50:45 +0000 [thread overview]
Message-ID: <1431244245-2880-1-git-send-email-kernel@martin.sperl.org> (raw)
In-Reply-To: <20150508221309.GK2761-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
From: Martin Sperl <kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
Fix a race (with some kernel configurations) where a queued
master->pump_messages runs and frees dummy_tx/rx before
spi_unmap_msg is running (or is finished).
This results in the following messages:
BUG: Bad page state in process
page:db7ba030 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x200(arch_1)
page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
...
Reported-by: Noralf Trønnes <noralf-L59+Z2yzLopAfugRpC6u6w@public.gmane.org>
Suggested-by: Noralf Trønnes <noralf-L59+Z2yzLopAfugRpC6u6w@public.gmane.org>
Tested-by: Noralf Trønnes <noralf-L59+Z2yzLopAfugRpC6u6w@public.gmane.org>
Signed-off-by: Martin Sperl <kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
---
drivers/spi/spi.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
Note that I am not 100% sure if the spinlock is really needed to read
cur_msg, but as it was there I left it as is and just moved the
scheduling and assignments down after sg_unmap and unprepare_message.
Noralf also sugested removing the first locking and my testing shows
that I was unable to trigger any issues with locking removed for the
assignemnt of mesg but there still may be a possibilty...
Also note that if you leave cur_message = NULL assignement on top, then
there is another race were other drivers submitting spi_messages and thus
triggering spi_pump while we still are cleaning up the old message.
This is because pump_message stops if it finds cur_message to be still
asigned.
Tested with the following devices on the same bus and all active:
* 2x mcp2515
* 1x enc28j60
* 1x fb_st7735r
Communication on reporting/testing by Noralf can get reviewed at:
https://github.com/raspberrypi/linux/issues/959#issuecomment-100391599 and
https://github.com/msperl/spi-bcm2835/issues/13#issuecomment-87210385
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 50910d8..d35c1a1 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -988,9 +988,6 @@ void spi_finalize_current_message(struct spi_master *master)
spin_lock_irqsave(&master->queue_lock, flags);
mesg = master->cur_msg;
- master->cur_msg = NULL;
-
- queue_kthread_work(&master->kworker, &master->pump_messages);
spin_unlock_irqrestore(&master->queue_lock, flags);
spi_unmap_msg(master, mesg);
@@ -1003,9 +1000,13 @@ void spi_finalize_current_message(struct spi_master *master)
}
}
- trace_spi_message_done(mesg);
-
+ spin_lock_irqsave(&master->queue_lock, flags);
+ master->cur_msg = NULL;
master->cur_msg_prepared = false;
+ queue_kthread_work(&master->kworker, &master->pump_messages);
+ spin_unlock_irqrestore(&master->queue_lock, flags);
+
+ trace_spi_message_done(mesg);
mesg->state = NULL;
if (mesg->complete)
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe linux-spi" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2015-05-10 7:50 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <8C375B28-1C09-4545-8A5B-78F6CD04102F@martin.sperl.org>
[not found] ` <8C375B28-1C09-4545-8A5B-78F6CD04102F-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-09 6:40 ` spi: race in spi_finalize_current_message starting queue_kthread_work before the message is unmapped Martin Sperl
[not found] ` <3374181B-61BE-4DAA-9D92-68B43BEF3E1D-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-13 7:52 ` Lee Jones
2015-05-13 11:47 ` Mark Brown
[not found] ` <20150508221309.GK2761@sirena.org.uk>
[not found] ` <20150508221309.GK2761-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2015-05-09 6:40 ` Martin Sperl
[not found] ` <352560EA-A323-449B-8F37-6066328D2081-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-11 18:00 ` Mark Brown
[not found] ` <20150511180016.GU3458-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2015-05-11 19:27 ` Martin Sperl
[not found] ` <8F4019F0-7C56-4C9C-9193-A2A23B533165-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-12 10:20 ` Mark Brown
[not found] ` <20150512102034.GM2761-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2015-05-12 12:07 ` Martin Sperl
[not found] ` <5551ECF9.1050006-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-12 16:50 ` Mark Brown
[not found] ` <20150512165053.GE3066-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2015-05-14 9:49 ` Martin Sperl
2015-05-14 9:58 ` [PATCH] spi: SPI_MASTER_MUST_* with scatter-gather only option and avoiding realloc kernel-TqfNSX0MhmxHKSADF0wUEw
[not found] ` <1431597524-7907-1-git-send-email-kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-14 11:19 ` Martin Sperl
2015-05-19 12:46 ` Mark Brown
[not found] ` <20150519124632.GN2761-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2015-05-19 14:17 ` Martin Sperl
[not found] ` <CA52E701-A9BF-45F1-AE2A-CD3E680CEAFC-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-22 11:34 ` Mark Brown
[not found] ` <20150522113421.GE21391-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2015-05-22 14:09 ` Martin Sperl
[not found] ` <2B971A09-33E3-42BC-B13D-49B6DD3D2E7A-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-24 9:34 ` [PATCH] spi: add missing cleanup in spi_map_msg on error kernel-TqfNSX0MhmxHKSADF0wUEw
[not found] ` <1432460086-2549-1-git-send-email-kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-25 10:10 ` [PATCH V2] " kernel-TqfNSX0MhmxHKSADF0wUEw
[not found] ` <1432548630-2202-1-git-send-email-kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-25 13:05 ` Mark Brown
2015-05-25 12:44 ` [PATCH 0/4] dma map single page multiple times in sg_list kernel-TqfNSX0MhmxHKSADF0wUEw
[not found] ` <1432557867-2427-1-git-send-email-kernel-TqfNSX0MhmxHKSADF0wUEw@public.gmane.org>
2015-05-25 12:44 ` [PATCH 1/4] spi: dma map a single page multiple times in sg_list for rx/tx_buf == NULL kernel-TqfNSX0MhmxHKSADF0wUEw
2015-05-25 12:44 ` [PATCH 2/4] spi: bcm2835: no longer requires SPI_MASTER_MUST_RX/TX kernel-TqfNSX0MhmxHKSADF0wUEw
2015-05-25 12:44 ` [PATCH 3/4] spi: add flags SPI_MASTER_MUST_*_SG to api kernel-TqfNSX0MhmxHKSADF0wUEw
2015-05-25 12:44 ` [PATCH 4/4] spi: bcm2835: set SPI_MASTER_MUST_RX_SG/TX_SG flags kernel-TqfNSX0MhmxHKSADF0wUEw
2015-05-10 7:50 ` kernel-TqfNSX0MhmxHKSADF0wUEw [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1431244245-2880-1-git-send-email-kernel@martin.sperl.org \
--to=kernel-tqfnsx0mhmxhksadf0wuew@public.gmane.org \
--cc=broonie-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=linux-spi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=noralf-L59+Z2yzLopAfugRpC6u6w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).